12 takeaways on control effectiveness in the first line

Nov 5, 2020

Risk Leadership Network hosted five collaborative Member meetings this week, bringing together Members who represent some of the world’s largest corporates to explore everything from insurance renewals and emerging risk frameworks to supply chain risk management.


Members shared their practical experiences, benchmarked approaches and explored new thinking.

I had the pleasure of chairing a meeting of six Members in which we explored critical controls testing in line one teams. Here are some of the notes I took from that meeting:

1. Control ownership

Organisations are focusing considerable effort on embedding control ownership and accountability in the first line. This is seen as a critical cultural step to ensuring control effectiveness, which can greatly improve an organisation's ability to detect changes in risks in a timely manner: is the control working as intended?

2. Define critical controls

It’s important to spend time devising and defining critical controls with first line operations. There should be strong collaboration between group and site operations who bring different perspectives. 

For instance, experts at a group level generally have a lot of experience and take a holistic or ‘systems thinking’ view. They can have valuable technical expertise but they may not be as close to operational realities on each site. Site experts, in turn, can get stuck in groupthink, lack deeper expertise and could end up with SMEs who only have experience of that site.

3. Map out controls

Time needs to be spent mapping controls to business processes and strategic objectives to ensure it is clear what teams do, why they do it and how it all fits together and collectively manages the risk.

4. Categorise your controls 

Clear agreement on what a control is and what constitutes ‘critical’ is very important. Consider grouping controls into these categories:

  • Controls that directly affect business performance
  • Controls that enable these direct controls
  • Controls that measure, check or verify control and process performance

Critical controls and enablers would have management and verification regimes, while critical checks would introduce ‘go’ or ‘no go’ parameters and stop work decision points.

5. Know what requires rigorous and intensive management

Some controls are sufficiently important that they require more rigorous / intensive management. These might be controls that manage a material risk, materially contribute to managing the risk, and are sufficiently reliable and effective to address the nature of the risk.

6. Don’t over-complicate your control ratings

Control effectiveness is all about balance. Don't over-complicate how you rate control effectiveness, but do give some thought to how individual control ratings get taken into account at the risk level. For example, if control number three of four fails and an action is put in place, how do you reassess the risk when it gets completed and your other three control assessments have presumably aged?

7. Build in efficiencies

Efficiency in control design is important and is a contributor to the overall success of the programme. Don’t have layers of controls with the lower order ones being largely ineffective or redundant.

8. Establish your frequency

Consider what frequency of monitoring you are going to drive, and whether it is commensurate with how quickly the control can fail.

9. Effective vs ineffective: define your thresholds

It's very important to help control owners in the first line with how they make the assessment of effectiveness. Allowing too much judgment by control owners can bring unwanted variability to the assessments. It’s also important to pre-determine the threshold at which a control goes from effective to ineffective. Again, risk management can play an important supporting role in this. This is particularly important when dealing with a multitude of geographies, regions or locations.

10. Investigate control technologies

Many firms are using mobile-based technologies to ease the administrative burden on the first line, streamline data capture and automatically trigger workflows / work orders to remediate control deficiencies.

Technology is also likely to play an important role in how control owners manage control effectiveness and what it means to the risk, particularly in organisations that conduct a lot of field observations. There are a number of different technology solutions available that can support this.

11. Simplify the auditing process

Don't fall into the trap of creating an army of auditors that are triggered by control assessments. In a perfect world, the technology would monitor certain measures/criteria and notify the owner that the control has failed. Most systems send out requests for the control owner to go out and effectively audit, adding administrative burden and introducing drag in your ability to detect control and action issues in a timely manner.

12. Define the risks to monitor

Think long and hard about the risks that require control monitoring because it could amount to a lot of resourcing. Make sure you also scale expectations of what can be delivered. Use fundamental principles such as the ‘80/20’ rule. And ensure you use the right language, such as changing ‘my’ to ‘our’. It gives people a greater sense of ownership.

